Perfect solution for administrators to obtain SYSTEM permissions

Source: Internet
Author: User

http://www.donews.net/zwell


There are already many ways for an administrator to obtain SYSTEM permissions.
Fourth Brother has already covered "MSDN series (3): Administrator users directly obtain SYSTEM permissions" and "Remote thread injection version of obtaining SYSTEM permissions".
Standing on the shoulders of my predecessors, I will first list some feasible methods:

1. Use ZwCreateToken() to create a SYSTEM token.
2. Hook ZwCreateProcess(Ex) for the process being created and create it using winlogon's identity.
3. Inject a remote thread into a SYSTEM process and create the new process from there.

The three methods above were all described by scz, and each has its problems. In fact, we can also:
4. Build the program as a service and have the service start the new process with the given parameters.

Because the service runs as SYSTEM, the process it creates also has SYSTEM permissions.

Of course, I will not use any of the methods above here: implementation code for them can already be found online, and their complexity and problems make them less than ideal solutions.

Here, I come up with two new solutions to implement this function:

First, let's look at how the system checks permissions.
Take OpenProcessToken as an example; we know the permission is verified along this path:
OpenProcessToken -> NtOpenProcessToken -> PsOpenTokenOfProcess -> PsReferencePrimaryToken -> fetches the token as Token = Process->Token;
                                                                 |-> ObOpenObjectByPointer performs the check against the TOKEN returned above

In other words, when the system checks the permission it simply takes the Token field from the process's EPROCESS structure, so there is no need to follow ObOpenObjectByPointer any further.
The idea is now obvious: take the System process's Token and put it into the Token field of our own process; from then on the system treats us as having SYSTEM permissions.
At that point, any child process our process creates also has SYSTEM permissions. (For the analysis above, see the Windows source code... ^_^)

Implementation code:
==========================================================
#include <windows.h>
#include <stdio.h>
#include <Accctrl.h>
#include <Aclapi.h>

// Offset of the Token field inside EPROCESS. It is 0xc8 on Windows 2003;
// other versions use a different offset, so change it accordingly.
#define TOKEN_OFFSET 0xc8
#define NT_SUCCESS(Status) ((NTSTATUS)(Status) >= 0)
#define STATUS_INFO_LENGTH_MISMATCH ((NTSTATUS)0xC0000004L)
#define STATUS_ACCESS_DENIED        ((NTSTATUS)0xC0000022L)

typedef long NTSTATUS;

typedef struct _IO_STATUS_BLOCK
{
    NTSTATUS Status;
    ULONG Information;
} IO_STATUS_BLOCK, *PIO_STATUS_BLOCK;

typedef struct _UNICODE_STRING
{
    USHORT Length;
    USHORT MaximumLength;
    PWSTR Buffer;
} UNICODE_STRING, *PUNICODE_STRING;

// Object attribute flags (native API definitions not provided by windows.h)
#define OBJ_INHERIT             0x00000002L
#define OBJ_PERMANENT           0x00000010L
#define OBJ_EXCLUSIVE           0x00000020L
#define OBJ_CASE_INSENSITIVE    0x00000040L
#define OBJ_OPENIF              0x00000080L
#define OBJ_OPENLINK            0x00000100L
#define OBJ_KERNEL_HANDLE       0x00000200L
#define OBJ_VALID_ATTRIBUTES    0x000003F2L

typedef struct _OBJECT_ATTRIBUTES
{
    ULONG Length;
    HANDLE RootDirectory;
    PUNICODE_STRING ObjectName;
    ULONG Attributes;
    PVOID SecurityDescriptor;
    PVOID SecurityQualityOfService;
} OBJECT_ATTRIBUTES, *POBJECT_ATTRIBUTES;

// One entry of the SystemModuleInformation buffer (a loaded kernel module)
typedef struct _SYSTEM_MODULE_INFORMATION
{
    ULONG Reserved[2];
    PVOID Base;                 // load address of the module
    ULONG Size;
    ULONG Flags;
    USHORT Index;
    USHORT Unknown;
    USHORT LoadCount;
    USHORT ModuleNameOffset;    // offset of the file name within ImageName
    CHAR ImageName[256];
} SYSTEM_MODULE_INFORMATION, *PSYSTEM_MODULE_INFORMATION;

typedef enum _SYSTEM_INFORMATION_CLASS
{
    SystemBasicInformation,
    SystemProcessorInformation,
    SystemPerformanceInformation,
    SystemTimeOfDayInformation,
    SystemNotImplemented1,
    SystemProcessesAndThreadsInformation,
    SystemCallCounts,
    SystemConfigurationInformation,
    SystemProcessorTimes,
    SystemGlobalFlag,
    SystemNotImplemented2,
    SystemModuleInformation,
    SystemLockInformation,
    SystemNotImplemented3,
    SystemNotImplemented4,
    SystemNotImplemented5,
    SystemHandleInformation,
    SystemObjectInformation,
    SystemPagefileInformation,
    SystemInstructionEmulationCounts,
    SystemInvalidInfoClass1,
    SystemCacheInformation,
    SystemPoolTagInformation,
    SystemProcessorStatistics,
    SystemDpcInformation,
    SystemNotImplemented6,
    SystemLoadImage,
    SystemUnloadImage,
    SystemTimeAdjustment,
    SystemNotImplemented7,
    SystemNotImplemented8,
    SystemNotImplemented9,
    SystemCrashDumpInformation,
    SystemExceptionInformation,
    SystemCrashDumpStateInformation,
    SystemKernelDebuggerInformation,
    SystemContextSwitchInformation,
    SystemRegistryQuotaInformation,
    SystemLoadAndCallImage,
    SystemPrioritySeparation,
    SystemNotImplemented10,
    SystemNotImplemented11,
    SystemInvalidInfoClass2,
    SystemInvalidInfoClass3,
    SystemTimeZoneInformation,
    SystemLookasideInformation,
    SystemSetTimeSlipEvent,
    SystemCreateSession,
    SystemDeleteSession,
    SystemInvalidInfoClass4,
    SystemRangeStartInformation,
    SystemVerifierInformation,
    SystemAddVerifier,
    SystemSessionProcessesInformation
} SYSTEM_INFORMATION_CLASS;

// ZwQuerySystemInformation, resolved from ntdll.dll at run time
typedef NTSTATUS (__stdcall *ZWQUERYSYSTEMINFORMATION)
(
    IN SYSTEM_INFORMATION_CLASS SystemInformationClass,
    IN OUT PVOID SystemInformation,
    IN ULONG SystemInformationLength,
    OUT PULONG ReturnLength OPTIONAL
);

// ZwOpenSection, opens a section object by name
typedef NTSTATUS (CALLBACK *ZWOPENSECTION)(
    OUT PHANDLE SectionHandle,
    IN ACCESS_MASK DesiredAccess,
    IN POBJECT_ATTRIBUTES ObjectAttributes
);

// RtlInitUnicodeString (the listing is truncated at this point)
typedef VOID (CALLBACK *RTLINITUNICODESTRING)(
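The SystemModuleInformation buffer that the ZwQuerySystemInformation typedef above is declared to fill is the same list a forensic or integrity tool walks to enumerate loaded kernel modules. The Python parser below is an added example, not code from the original article; it assumes the entry layout of the SYSTEM_MODULE_INFORMATION typedef above with 32-bit field sizes, and that the buffer begins with a ULONG module count (the RTL_PROCESS_MODULES shape), which the page's typedef does not show.

```python
import struct

# Layout of one SYSTEM_MODULE_INFORMATION entry as the page's typedef lays it
# out on 32-bit Windows: Reserved[2], Base, Size, Flags, Index, Unknown,
# LoadCount, ModuleNameOffset, ImageName[256]. "<": little-endian, no padding.
ENTRY_FMT = "<2IIIIHHHH256s"
ENTRY_SIZE = struct.calcsize(ENTRY_FMT)  # 284 bytes

def build_entry(base, size, image_name, index, flags=0, load_count=1):
    # Pack one entry (constructed test data). ModuleNameOffset is the index of
    # the file name inside ImageName, i.e. just past the last backslash.
    name = image_name.encode("ascii")
    name_offset = name.rfind(b"\\") + 1
    return struct.pack(ENTRY_FMT, 0, 0, base, size, flags, index, 0,
                       load_count, name_offset, name)

def build_buffer(entries):
    # Assumption: the buffer is a ULONG module count followed by the entries
    # (RTL_PROCESS_MODULES shape); the page's typedef shows only one entry.
    return struct.pack("<I", len(entries)) + b"".join(entries)

# Constructed sample: kernel and HAL with made-up load addresses.
SAMPLE_BUFFER = build_buffer([
    build_entry(0x804D7000, 0x1F8B80, "\\WINDOWS\\system32\\ntoskrnl.exe", 0),
    build_entry(0x806CE000, 0x020580, "\\WINDOWS\\system32\\hal.dll", 1),
])

def parse_modules(buf):
    """Parse a SystemModuleInformation buffer into a list of dicts. A short
    buffer raises ValueError, the case the real call reports as
    STATUS_INFO_LENGTH_MISMATCH and the caller handles by reallocating."""
    if len(buf) < 4:
        raise ValueError("buffer shorter than the module count")
    (count,) = struct.unpack_from("<I", buf, 0)
    if len(buf) < 4 + count * ENTRY_SIZE:
        raise ValueError("buffer too short for %d modules" % count)
    modules = []
    for i in range(count):
        (_, _, base, size, flags, index, _, load_count, name_off,
         raw) = struct.unpack_from(ENTRY_FMT, buf, 4 + i * ENTRY_SIZE)
        image = raw.split(b"\0", 1)[0].decode("ascii", "replace")
        modules.append({"base": base, "size": size, "flags": flags,
                        "index": index, "load_count": load_count,
                        "image": image, "name": image[name_off:]})
    return modules

def kernel_base(modules):
    # Index 0 is the first-loaded module, the kernel image itself.
    return next(m["base"] for m in modules if m["index"] == 0)
```

Comparing the parsed base addresses and load counts against a known-good snapshot is one way to spot an unexpected module or a kernel image that has moved.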
